This guest post originally appeared on the Detectify blog.
At this year’s Black Hat USA, we caught up with Grant McCracken, Sr. Manager of Solutions Architecture at Bugcrowd and asked him about his thoughts on crowdsourced security, the evolution of ethical hacking, and the security community.
What’s your background in security?
I started out in the industry as an Application Security Engineer at Whitehat Security, doing business logic assessments on web apps. I did that for a couple of years, and then quit to go travel the world. While I was out traveling, I was recruited by Bugcrowd to do triage and validation work on programs, which is one of the main offerings that Bugcrowd provides as a service, where we validate vulnerability reports as they come into the bug bounty programs we run on the platform. So, that’s what I did while I was traveling: I’d travel around to different cities and countries, validating vulnerabilities on the go, and using the money from validating to keep traveling. It was a pretty good arrangement for what it was. Once I finished traveling, I joined the customer success team as a Technical Account Manager, which I then turned into the Solutions Architect role. Now I manage both the Solutions Architect and Researcher Success teams; the Solutions Architects help launch programs and are the technical side of crowdsourced security, while the Researcher Success team helps take care of, and works with, researchers.
Has ethical hacking changed over the last couple of years?
It’s absolutely grown over the last few years! When Bugcrowd first started back in the day, you had Google and a couple of other big tech companies offering bug bounties. However, in the last few years, we’ve seen a ton of companies that you wouldn’t normally associate with crowdsourced security running bug bounty programs, or at least vulnerability disclosure programs: banks, credit card processors, car manufacturers, and so on. All these institutions are now embracing crowdsourced security en masse because they see substantial value in having a bug bounty program.
One of the fundamental tenets of crowdsourced security is that 50 people are always going to find more than the one or two pentesters that you’d typically hire. If the scope is big enough, we’ve never really had a program where no one found anything. When you open the scope wide enough, that’s when we start finding some really interesting vulnerabilities. It can be tempting to try and have a scope so small that there’s no real attack surface, but more and more we’re seeing people embracing vulnerability disclosure programs, and open-scope bounty programs – which is great! However, it’s also important to be aware that when starting a program the number of initial findings can easily become overwhelming, so it’s important to walk before going into a full sprint. Companies are often eager to go all-in and start out with a public bug bounty program, but it’s crucial to understand the implications, and be prepared to remediate a lot of vulnerabilities.
Obviously, there are also a lot more ethical hackers doing bug bounties nowadays. People are making a living off of hacking, and some of them make more than a living! In some countries, ethical hackers can make more money doing bounties than they ever could working a regular job, and this is just one of the many ways crowdsourced security is growing.
We’re coming up on what feels like a tipping point where major organisations are starting to catch on with this model, and there’s going to be a threshold where having a responsible disclosure program or a bug bounty will become as mainstream as running a scanner. One of the ways this is happening right now is that many of our clients now have and utilize a vulnerability disclosure program that we helped set up and manage. It’s not a bug bounty, since they’re not giving out rewards, but it’s the first step towards leveraging the power of crowdsourced security, and it allows researchers to responsibly report a vulnerability.
What’s the most common misconception about crowdsourced security and bug bounty hunting?
The first, and most prevalent, one out there is crowd fear: everyone (or at least most orgs) seems to be scared of the idea of the crowd. As a business owner, you’re hearing about this bug bounty thing, and you might be thinking, do I want people to hack me? The answer is yes!
Aside from the reality that black hat hackers are likely doing it already, if you have something on the publicly facing internet, someone is probably trying to break into it. The whole goal of running a bug bounty is to have people find vulnerabilities. Sometimes, even if they’re on board with running a program, organisations are reluctant to give security researchers access, credentials, or documentation. But if our goal is to have a more secure product, we need to embrace the reality that we need to give researchers as much help as possible, so that they’re able to be effective in identifying issues.
There’s a substantial difference between ethical bug hunting and black hat hacking. If a hacker wants to do black hat hacking, they don’t need permission from a bug bounty to do so. At the point where someone has decided to work on a bounty program, they’ve already made a conscious choice to play by the rules, whereas a black hat hacker can freely go hack something that doesn’t have a bug bounty program, since there’s a much better chance of finding good vulnerabilities on an application nobody’s ever looked at.
“…50 people are always going to find more than the one or two pentesters…”
– McCracken on crowdsourced security
What’s been the coolest experience you have gotten out of the community?
I think finding the different ways we can leverage the crowd on a whole variety of programs. It’s not just simple, web-based bug bounty programs anymore. Now we’re running everything from vulnerability disclosure programs to shipping physical IoT devices to researchers who then try to break them, not with a hammer but by finding vulnerabilities. We’re getting into these exciting new spaces: working with major OEM players, running CTF-style programs, and a whole lot of other things. On the whole, the really cool thing about security is not just seeing it grow, but also disrupting it. I’m not saying bug bounties are a panacea for everything in security, because they aren’t; but at the same time, this is a new model where we can do a lot more than a number of the incumbent strategies. There’s so much going on in this space, and we’re just getting started.
What does the future of crowdsourced security look like?
That’s hard to say, as any prediction regarding the future is guaranteed to be wrong! I think it’s obviously going to expand and continue to become more mainstream. Once you reach that tipping point, everybody ends up following, and we’re going to see a ton more people getting on board and running these programs, whether it’s disclosure programs with no rewards or bounties that have them.
The next step, and a big focus for Bugcrowd, is helping companies remediate vulnerabilities. The biggest problem we see is that organisations simply can’t fix vulnerabilities fast enough. This is important not only for security, but also for researchers. If a researcher reports a vulnerability only to find out it was identified six or twelve months ago, it’ll frustrate them. Most researchers won’t continue working on a program that takes that long to fix vulnerabilities, as it increases the likelihood of duplicates, among other things. Beyond that, fixing things is the whole point of knowing about the issues in the first place. Until you’re remediating them, you’re not actually changing anything, so once we don’t have all those vulnerabilities floating around anymore, that’s when we’re actually making things more secure.